fix: fix gcp permissions for gcp relay in terraform module (JIRA https://stacklet.atlassian.net/browse/ENG-5290) #5
Conversation
hiteshmck
changed the title
hiteshmck
changed the title
|
|
||
| project = local.project_id | ||
| role = each.value | ||
| member = "serviceAccount:${data.google_project.gcp_project.number}-compute@developer.gserviceaccount.com" |
There was a problem hiding this comment.
This might only make sense when we have create_project set and so we probably only want to do it when we are creating the project:
terraform-gcp-stacklet-relay/bootstrap/main.tf
Lines 6 to 15 in 90fd290
Otherwise we should just expect the project_id they give us to have proper permissions set and we shouldn't try to modify it.
There was a problem hiding this comment.
@sontek If we don't want to use terraform to give their project compute sa any permissions, we should atleast have some documentation sayting this is the minimum permissions we expect on the google compute service account.
And if we are documenting this, why not automate, if we can.
Just some thoughts....
There was a problem hiding this comment.
I wouldn't expect us to have access to modify IAM if we don't have access to compute. Most companies lock down IAM more than any other service.
We definitely should have documentation for the permissions necessary though. We shouldn't leave it up to the customer to guess what permissions they need.
But if they are passing in project_id its because they want us to use a project they created without modifications because its most likely controlled by IaC on their end and any changes we make to it will be reverted with the IaC that controls it
There was a problem hiding this comment.
Thx for the feedback.
For Epsilon, they are using their own project and still expect the terraform to work out of the box, by giving permission to the service accounts it needs in the terraform itself.
Maybe a middle ground be to add documentation about extra permissions, and at the same time, have a setting in terraform to control , if they want our terraform to give additional permissions as well for their project.
Does it make sense ?
There was a problem hiding this comment.
I'm not a big fan of allowing a customer to pass in a project ID but then trying to modify that project after the fact. Most customers will not expect that behavior. Maybe if create_project is false we could use the datasource to verify the proper permissions are there?
Untested but something like:
data "google_project_iam_policy" "project" {
project = var.project_id
}
output "check_if_role_exists" {
value = contains([
for binding in data.google_project_iam_policy.project.bindings :
binding.role
], "roles/compute.admin")
}
with whatever roles are necessary? Although I think documentation attached to the project_id var is enough
|
Thx @sontek and @howbazaar , I incoroprated the comments. Please review. |
ENG-XXXX
Based on the freshdesk ticket https://stacklet.freshdesk.com/a/tickets/1199, Epsilon is having some issues with gcp relay setup on their side.
I setup my gcp project to setup gcp relay myself and had following observations and some fixes which are would be in the PR.
My Setup :
Observations
Change # 1
"roles/artifactregistry.writer", --needed for cloudbuild to create cloud run function
"roles/logging.logWriter", --needed for cloudbuild to write cloudbuild logs
"roles/storage.objectViewer" --needed to access intermediary bucket created by google cloud to hold source code. documentation link https://cloud.google.com/functions/docs/tutorials/terraform
Change # 2
So I specifically included stacklet-relay(or var.service_acount) in event trigger.
var.service_account has the roles/cloudfunctions.invoker for the cloud function already in terraform, so its the intended role to call the cloud function.
e.g.
event_trigger {
trigger_region = var.location
event_type = "google.cloud.pubsub.topic.v1.messagePublished"
pubsub_topic = google_pubsub_topic.asset_feed[0].id
retry_policy = "RETRY_POLICY_RETRY"
service_account_email = var.service_account --this line here is added
}